4707 A trust to a domain was removed
Written when a trust relationship to a domain is removed. Paired with creation 4706, it is a key event for tracking changes to trust configuration.
Overview
The subcategory is Audit Authentication Policy Change. It is generated only on domain controllers. It is recorded when an existing domain trust is removed.
How it is triggered
- Removal of a domain/forest trust by an administrator or tool.
- It occurs on domain controllers.
Security review points
- Removing a trust is a significant configuration change. An unplanned removal affects authentication paths and interoperability, so always investigate.
- An attacker may also reorganize trusts as part of covering tracks or altering configuration. Together with creation 4706 and modification 4716, view who operated on which trust and when.
Notes for log review
- It is normally a rare operation. Even one occurrence is a high-priority event to confirm as a planned change.
- Record the removed trust target and acting subject, and reconcile against change-management records.
Key fields
| Field | Meaning |
|---|---|
Domain Name | The removed trusted domain |
Subject\Account Name | The account that performed the removal |